All news with #beavertail tag

Job-test malware campaign shifts to public JSON dropboxes

🔎 The Contagious Interview campaign is delivering trojanized coding tests that fetch heavily obfuscated JavaScript from public JSON-storage services such as JSON Keeper, JSONSilo, and npoint.io. When executed in a Node.js test run the payloads decode and install the BeaverTail infostealer and then stage the InvisibleFerret RAT. NVISO Labs warns attackers are abusing developer trust and legitimate platforms and recommends sandboxing, auditing config files, and blocking suspicious outbound requests.

Merged BeaverTail and OtterCookie Tooling Observed in Attacks

🔍 Talos uncovered a campaign linked to the DPRK-aligned cluster Famous Chollima that used a trojanized Node.js package and a malicious VS Code extension to deliver merged BeaverTail and OtterCookie tooling. The combined JavaScript payloads include a newly observed keylogger and screenshot module alongside clipboard theft, targeted file exfiltration, remote shell access, and cryptocurrency extension stealing. Indicators, C2 addresses, Snort/ClamAV detections, and mitigation guidance are provided.

DPRK Hackers Use ClickFix to Deliver BeaverTail Malware

🛡️ GitLab Threat Intelligence observed DPRK-linked operators using ClickFix-style hiring lures to deliver the JavaScript stealer BeaverTail and its Python backdoor InvisibleFerret. The late-May 2025 wave targeted marketing and cryptocurrency trader roles via a fake Vercel-hosted hiring site that tricks victims into running OS-specific commands. Attackers deployed compiled BeaverTail binaries (pkg/PyInstaller) and used a password-protected archive to stage Python dependencies, suggesting tactical refinement and expanded targeting.